Faced with increasingly numerous and sophisticated cyberattacks, WhatsApp is introducing three new security features to prevent identity theft and ensure that conversations remain private.
With more than 2 billion users worldwide, WhatsApp is regularly targeted by cybercriminals, who try to use the well-known messaging service to steal users’ personal data, hack into their devices or extort money from them. At the moment, the so-called “six-digit texting” scam, in which a “friend” contacts the victim and asks them to send over the code they have just received, is causing havoc (see our article). One of the main threats comes from malware that takes control of smartphones to send unwanted messages through victims’ accounts. So, even though WhatsApp is end-to-end encrypted, which prevents hackers from seeing the content of messages since senders and recipients are the only ones able to read them, and two-factor authentication limits account theft, Meta has decided to reinforce the security of its instant messaging system with several features that are meant to offer “more privacy and more control over your messages”, as the company announces in a blog post. They will be deployed in the coming months and applied automatically.
WhatsApp Device Verification: protection against malware
The first feature, called Device Verification, aims to fight malicious software. With end-to-end encryption, no one, not even WhatsApp, can read the messages sent between users. Messages are therefore protected against interception, but they remain vulnerable if cybercriminals infect the communication endpoints, namely the mobile devices themselves. In that case, hackers can steal the authentication key and impersonate the victim in order to send spam, scam or phishing messages to other potential victims.
This is why Meta has decided to add checks that authenticate the account and better protect the user if the device has been compromised. Device Verification introduces three new parameters to “prevent malware from stealing the authentication key and connecting to the WhatsApp server from outside the user’s device”: a security token stored on the user’s device; a nonce, an arbitrary number that can only be used once, to identify whether someone is logging in to retrieve a message from the WhatsApp server; and an authentication challenge, an invisible ping sent by the WhatsApp server to the user’s device, in case of a suspicious connection. Put simply, these elements make it possible to block hacking attempts automatically, without disturbing the user. WhatsApp has started rolling out Device Verification on Android and is expected to do the same on iOS soon.
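The following is an added illustration, not WhatsApp's code or wire protocol: a simplified model of how a device-bound security token combined with a one-time nonce lets a server refuse a connection made from outside the user's device. The class and function names, the HMAC construction and the token rotation on each successful check are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class Server:
    """Toy server (hypothetical model): one rotating security token per account."""

    def __init__(self):
        self.tokens = {}   # account -> current security token
        self.pending = {}  # account -> outstanding one-time nonce

    def enroll(self, account):
        self.tokens[account] = secrets.token_bytes(32)
        return self.tokens[account]  # stored on the user's device

    def challenge(self, account):
        self.pending[account] = secrets.token_bytes(16)
        return self.pending[account]

    def verify(self, account, nonce, proof):
        # pop() makes the nonce single-use: a replayed answer finds nothing pending.
        issued = self.pending.pop(account, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return None
        expected = hmac.new(self.tokens[account], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None  # caller does not hold the device's current token
        self.tokens[account] = secrets.token_bytes(32)  # rotate on success (assumption)
        return self.tokens[account]


def answer(token, nonce):
    """Device side: prove possession of the token without sending it."""
    return hmac.new(token, nonce, hashlib.sha256).digest()


def demo():
    server = Server()
    first_token = server.enroll("alice")  # constructed sample account
    n1 = server.challenge("alice")
    p1 = answer(first_token, n1)
    legit = server.verify("alice", n1, p1) is not None    # genuine device
    replay = server.verify("alice", n1, p1) is not None   # same answer sent twice
    n2 = server.challenge("alice")
    no_token = server.verify("alice", n2, answer(bytes(32), n2)) is not None
    n3 = server.challenge("alice")
    stale = server.verify("alice", n3, answer(first_token, n3)) is not None
    return legit, replay, no_token, stale
```

Calling `demo()` shows that only the first connection is accepted: the replayed answer, the client without the token and the client holding a token from before the rotation are all refused.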
WhatsApp security: functions to prevent identity theft
WhatsApp will also gain two other new security features. The first, called Account Protect, alerts the user when their messaging account is being linked to a new device. A window saying “Do you allow transfer of your WhatsApp account to another phone?”, with the time of the attempt and the recipient device, is displayed on the user’s current device to warn them of any unauthorized attempt to use their account on another device. If the user approves the transfer, the WhatsApp account is no longer available on the old device.
The second feature, called Automatic Security Codes, is “a cryptographic security feature to automatically verify a secure connection based on key transparency”. This check is already available, but in a form that is not very practical: in the contact information, the user can verify that the conversation is safe by clicking on “Encryption”, then asking the contact to confirm the security code via a QR code. To make this process easier and more accessible, Meta is rolling out a new security feature based on Key Transparency technology. By clicking on the “Encryption” tab, users can now immediately verify that their conversation is secure. This saves time!